As we move closer to an era when a sequence of every human genome is the norm, an important question looms: who will own this data? It seems intuitive to many of us that each person owns his or her genetic data and therefore should control access. But the reality is more complex.

Consider any number of analogies: cell phone data, credit card data, email information. You have a sense of ownership for all of that, right? But it’s hard to make the case that you truly own it when Verizon Wireless, American Express, or Google has more control than you do over account access, data storage, and which other parties get to see your information. (Ahem, NSA.)

The concept of data ownership is so contentious in part because of its nature. Data moves, it morphs, and most of us can’t even say where it lives. (“The cloud” is not an answer.) For people who grew up thinking that possession is nine-tenths of the law, data is too slippery to fit into the usual framework.

Throw in the morass of regulations surrounding medical data, and you get an idea of why ownership of genetic data is such a complex issue. The Supreme Court’s verdict that companies cannot patent naturally occurring genes told us who doesn’t own our genes—that’s a start.

Depending on circumstance, genomic information may or may not be considered protected health information under the U.S. Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. That means sometimes there will be a number of barriers between you (or anyone) and that information, and other times it will be freely accessible, but in ways that supposedly prevent anyone from knowing whom the data comes from. In fact, scientists have already demonstrated that it takes remarkably little know-how to link this de-identified information, as it is known, back to its source.

With that basic protection up in the air, the federal government and many states have passed or are considering legislation that would settle the ownership question, or at least prevent discrimination based on the data. The landmark Genetic Information Nondiscrimination Act was passed by U.S. Congress in 2008 to prohibit unfair treatment based on DNA information—particularly among health insurance companies—but does not apply to providers of life, disability, or long-term care insurance. Bills introduced since then in Massachusetts, Vermont, and California aim to close those loopholes and also establish clear property rules to ensure that each individual is the sole owner of his or her genetic information.

As that piece of the puzzle is addressed, some companies are trying to solve the issue of how and where this data will be stored. Coriell Life Sciences, for example, was spun out of the nonprofit Coriell Institute for Medical Research to offer a data-hosting service for genetic information. A person’s genome sequence is stored on Coriell’s computers, and as that person needs to know more about it, approved providers can access that sequence and interpret certain sections of it.

For example, let’s say you have your genome sequenced at age 35. At the time, what you really care about is whether you’re a carrier of certain diseases, so you give permission to one interpretation service to scan the associated portions of your genome and tell you about those diseases. Later in life, you decide you want to know whether you’re at increased risk for developing Alzheimer’s disease, so you allow another interpretation company to access your DNA sequence and look for that specific genetic marker. The idea is that genetic information is safest when it is stored in one place for a person’s whole life, rather than being shipped here and there for various interpretations. The use of permissions to access certain parts of the DNA sequence adds another layer of protection.

At the moment, Coriell’s business model is geared toward physicians; it assumes they are the ones depositing data on their patients’ behalf, and they control access permissions. But as people demand more control over their data, the model could shift to put consumers in the driver’s seat. Coriell Life Sciences is just one player in a rapidly shifting field; we will see many variations on it, both better and worse, in the coming years.

Right now, few of us have personal genomic data. But consider results from any individual gene tests you may have had—or, failing that, any result from a medical test. Chances are, your physicians or hospital have a stronger ownership claim to that information than you do: they probably keep it in a file and have the authority to grant access to it as needed, whereas you might not even remember what the results were. Until consumers find it important to stake their claim for their own genetic data, this situation is likely to remain the status quo in the coming years.